	native-__get_tcb: permit
	native-__getcwd: permit
	native-__semctl: permit
	native-__set_tcb: permit
	native-__sysctl: permit
	native-__tfork: permit
	native-__threxit: permit
	native-__thrsigdivert: permit
	native-__thrsleep: permit
	native-__thrwakeup: permit
	native-accept: permit
	native-bind: sockaddr eq "inet-[0.0.0.0]:0" then deny[eacces]
	native-bind: sockaddr match "/tmp" then permit
	native-bind: sockaddr match "/var/tmp" then permit
	native-bind: sockaddr match "${TMPDIR}" then permit
	native-bind: sockaddr match "${WRKDIR}" then permit
	native-bind: sockaddr match "/<non-existent filename>: *" then deny[enoent]
	native-break: permit
	native-chdir: permit
	native-chflags: filename match "/tmp" then permit
	native-chflags: filename match "/var/tmp" then permit
	native-chflags: filename match "${TMPDIR}" then permit
	native-chflags: filename match "${WRKDIR}" then permit
	native-chflags: filename match "/<non-existent filename>: *" then deny[enoent]
	native-chmod: filename match "/tmp" then permit
	native-chmod: filename match "/var/tmp" then permit
	native-chmod: filename match "${TMPDIR}" then permit
	native-chmod: filename match "${WRKDIR}" then permit
	native-chmod: filename match "/<non-existent filename>: *" then deny[enoent]
	native-chown: filename match "/tmp" then permit
	native-chown: filename match "/var/tmp" then permit
	native-chown: filename match "${TMPDIR}" then permit
	native-chown: filename match "${WRKDIR}" then permit
	native-chown: filename match "/<non-existent filename>: *" then deny[enoent]
	native-chroot: permit
	native-clock_getres: permit
	native-clock_gettime: permit
	native-close: permit
	native-closefrom: permit
	native-compat_43_ogetdtablesize: permit
	native-compat_43_ogetpagesize: permit
	native-compat_43_olseek: permit
	native-connect: sockaddr eq "family(0)" then permit
	native-connect: sockaddr match "/tmp" then permit
	native-connect: sockaddr match "/var/tmp" then permit
	native-connect: sockaddr match "${TMPDIR}" then permit
	native-connect: sockaddr match "${WRKDIR}" then permit
	native-connect: sockaddr match "/<non-existent filename>: *" then deny[enoent]
	native-dup: permit
	native-dup2: permit
	native-dup3: permit
	native-execve: true then permit
	native-exit: permit
	native-fchdir: permit
	native-fchflags: permit
	native-fchmod: permit
	native-fchmodat: filename match "/tmp" then permit
	native-fchmodat: filename match "/var/tmp" then permit
	native-fchmodat: filename match "${TMPDIR}" then permit
	native-fchmodat: filename match "${WRKDIR}" then permit
	native-fchmodat: filename match "/<non-existent filename>: *" then deny[enoent]
	native-fchown: permit
	native-fchownat: filename match "/tmp" then permit
	native-fchownat: filename match "/var/tmp" then permit
	native-fchownat: filename match "${TMPDIR}" then permit
	native-fchownat: filename match "${WRKDIR}" then permit
	native-fchownat: filename match "/<non-existent filename>: *" then deny[enoent]
	native-fcntl: permit
	native-flock: permit
	native-fork: permit
	native-fpathconf: permit
	native-fsread: true then permit
	native-fstat: permit
	native-fstatfs: permit
	native-fswrite: filename eq "" then deny[enoent]
	native-fswrite: filename eq "/dev/crypto" then permit
	native-fswrite: filename eq "/dev/null" then permit
	native-fswrite: filename eq "/dev/ptm" then permit
	native-fswrite: filename eq "/dev/stdout" then permit
	native-fswrite: filename eq "/dev/tty" then permit
	native-fswrite: filename eq "/dev/zero" then permit
	native-fswrite: filename match "/tmp" then permit
	native-fswrite: filename match "/var/tmp" then permit
	native-fswrite: filename match "${DISTDIR}" then permit
	native-fswrite: filename match "${PKG_TMPDIR}" then permit
	native-fswrite: filename match "${PORTSDIR}/bulk" then permit
	native-fswrite: filename match "${PORTSDIR}/packages" then permit
	native-fswrite: filename match "${TMPDIR}" then permit
	native-fswrite: filename match "${WRKDIR}" then permit
	native-fswrite: filename match "/<non-existent filename>: *" then deny[enoent]
	native-fsync: permit
	native-ftruncate: permit
	native-futimes: permit
	native-futimens: permit
	native-getdents: permit
	native-getegid: permit
	native-getentropy: permit
	native-geteuid: permit
	native-getfsstat: permit
	native-getgid: permit
	native-getgroups: permit
	native-getlogin: permit
	native-getpeername: permit
	native-getpgid: permit
	native-getpgrp: permit
	native-getpid: permit
	native-getppid: permit
	native-getpriority: permit
	native-getrlimit: permit
	native-getrusage: permit
	native-getsid: permit
	native-getsockname: permit
	native-getsockopt: permit
	native-getthrid: permit
	native-gettimeofday: permit
	native-getuid: permit
	native-ioctl: permit
	native-issetugid: permit
	native-kevent: permit
	native-kill: permit
	native-kqueue: permit
	native-lchown: filename match "/tmp" then permit
	native-lchown: filename match "/var/tmp" then permit
	native-lchown: filename match "${TMPDIR}" then permit
	native-lchown: filename match "${WRKDIR}" then permit
	native-lchown: filename match "/<non-existent filename>: *" then deny[enoent]
	native-link: filename match "/tmp" and filename[1] match "/tmp" then permit
	native-link: filename match "/var/tmp" and filename[1] match "/var/tmp" then permit
	native-link: filename match "${TMPDIR}" and filename[1] match "${TMPDIR}" then permit
	native-link: filename match "${WRKDIR}" and filename[1] match "${WRKDIR}" then permit
	native-link: filename match "/<non-existent filename>: *" then deny[enoent]
	native-linkat: filename match "/tmp" and filename[1] match "/tmp" then permit
	native-linkat: filename match "/var/tmp" and filename[1] match "/var/tmp" then permit
	native-linkat: filename match "${TMPDIR}" and filename[1] match "${TMPDIR}" then permit
	native-linkat: filename match "${WRKDIR}" and filename[1] match "${WRKDIR}" then permit
	native-linkat: filename match "/<non-existent filename>: *" then deny[enoent]
	native-listen: permit
	native-lseek: permit
	native-madvise: permit
	native-mincore: permit
	native-minherit: permit
	native-mknod: filename match "/tmp" then permit
	native-mknod: filename match "/var/tmp" then permit
	native-mknod: filename match "${TMPDIR}" then permit
	native-mknod: filename match "${WRKDIR}" then permit
	native-mknodat: filename match "/tmp" then permit
	native-mknodat: filename match "/var/tmp" then permit
	native-mknodat: filename match "${TMPDIR}" then permit
	native-mknodat: filename match "${WRKDIR}" then permit
	native-mlock: permit
	native-mlockall: permit
	native-mmap: permit
	native-mprotect: permit
	native-mquery: permit
	native-msync: permit
	native-munmap: permit
	native-nanosleep: permit
	native-pathconf: permit
	native-pipe: permit
	native-pipe2: permit
	native-poll: permit
	native-ppoll: permit
	native-pread: permit
	native-pselect: permit
	native-pwrite: permit
	native-quotactl: permit
	native-read: permit
	native-readv: permit
	native-recvfrom: permit
	native-recvmsg: permit
	native-rename: filename match "/tmp" and filename[1] match "/tmp" then permit
	native-rename: filename match "/tmp" and filename[1] match "/var/tmp" then permit
	native-rename: filename match "/tmp" and filename[1] match "${WRKDIR}" then permit
	native-rename: filename match "/var/tmp" and filename[1] match "/var/tmp" then permit
	native-rename: filename match "/var/tmp" and filename[1] match "${WRKDIR}" then permit
	native-rename: filename match "${TMPDIR}" and filename[1] match "${TMPDIR}" then permit
	native-rename: filename match "${TMPDIR}" and filename[1] match "${WRKDIR}" then permit
	native-rename: filename match "${WRKDIR}" and filename[1] match "${WRKDIR}" then permit
	native-rename: filename match "/<non-existent filename>: *" then deny[enoent]
	native-renameat: filename match "/tmp" and filename[1] match "/tmp" then permit
	native-renameat: filename match "/tmp" and filename[1] match "/var/tmp" then permit
	native-renameat: filename match "/tmp" and filename[1] match "${WRKDIR}" then permit
	native-renameat: filename match "/var/tmp" and filename[1] match "/var/tmp" then permit
	native-renameat: filename match "/var/tmp" and filename[1] match "${WRKDIR}" then permit
	native-renameat: filename match "${TMPDIR}" and filename[1] match "${TMPDIR}" then permit
	native-renameat: filename match "${TMPDIR}" and filename[1] match "${WRKDIR}" then permit
	native-renameat: filename match "${WRKDIR}" and filename[1] match "${WRKDIR}" then permit
	native-renameat: filename match "/<non-existent filename>: *" then deny[enoent]
	native-sched_yield: permit
	native-select: permit
	native-semctl: permit
	native-semget: permit
	native-semop: permit
	native-sendmsg: sockaddr match "/tmp" then permit
	native-sendmsg: sockaddr match "/var/tmp" then permit
	native-sendmsg: sockaddr match "${TMPDIR}" then permit
	native-sendmsg: sockaddr match "${WRKDIR}" then permit
	native-sendmsg: sockaddr match "/<non-existent filename>: *" then deny[enoent]
	native-sendsyslog: permit
	native-sendto: permit
	native-setegid: permit
	native-setgid: permit
	native-setgroups: permit
	native-setitimer: permit
	native-setpgid: permit
	native-setpriority: permit
	native-setregid: permit
	native-setresgid: permit
	native-setresuid: permit
	native-setreuid: permit
	native-setrlimit: permit
	native-setsid: permit
	native-setsockopt: permit
	native-setuid: permit
	native-shmat: permit
	native-shmctl: permit
	native-shmdt: permit
	native-shmget: permit
	native-shutdown: permit
	native-sigaction: permit
	native-sigaltstack: permit
	native-sigpending: permit
	native-sigprocmask: permit
	native-sigreturn: permit
	native-sigsuspend: permit
	native-socket: permit
	native-socketpair: permit
	native-statfs: permit
	native-symlink: filename match "/tmp" then permit
	native-symlink: filename match "/var/tmp" then permit
	native-symlink: filename match "${TMPDIR}" then permit
	native-symlink: filename match "${WRKDIR}" then permit
	native-symlink: filename match "/<non-existent filename>: *" then deny[enoent]
	native-symlink: string eq "" and filename eq "" then deny[enoent]
	native-symlinkat: filename match "/tmp" then permit
	native-symlinkat: filename match "/var/tmp" then permit
	native-symlinkat: filename match "${TMPDIR}" then permit
	native-symlinkat: filename match "${WRKDIR}" then permit
	native-symlinkat: filename match "/<non-existent filename>: *" then deny[enoent]
	native-symlinkat: string eq "" and filename eq "" then deny[enoent]
	native-sync: permit
	native-umask: permit
	native-utimensat: permit
	native-utimes: permit
	native-vfork: permit
	native-wait4: permit
	native-write: permit
	native-writev: permit

